diff --git a/bower_components/forge/js/hmac.js b/bower_components/forge/js/hmac.js
index fd3de29..46fa660 100644
--- a/bower_components/forge/js/hmac.js
+++ b/bower_components/forge/js/hmac.js
@@ -77,8 +77,6 @@ hmac.create = function() {
         }
       }
 
-      console.log('forge key', key);
-
       // if key is longer than blocksize, hash it
       var keylen = key.length();
       if(keylen > _md.blockLength) {
diff --git a/bower_components/forge/js/util.js b/bower_components/forge/js/util.js
index 294c41b..9708b5b 100644
--- a/bower_components/forge/js/util.js
+++ b/bower_components/forge/js/util.js
@@ -1602,7 +1602,14 @@ util.decode64 = function(input) {
  * @return the UTF-8 encoded string.
  */
 util.encodeUtf8 = function(str) {
-  return unescape(encodeURIComponent(str));
+  var escstr = encodeURIComponent(str);
+  // replaces any uri escape sequence, such as %0A,
+  // with binary escape, such as 0x0A
+  var binstr = escstr.replace(/%([0-9A-F]{2})/g, function(match, p1) {
+    return String.fromCharCode(parseInt(p1, 16));
+  });
+
+  return binstr;
 };
 
 /**
@@ -1612,8 +1619,16 @@ util.encodeUtf8 = function(str) {
  *
  * @return the UTF-16 encoded string (standard JavaScript string).
  */
-util.decodeUtf8 = function(str) {
-  return decodeURIComponent(escape(str));
+util.decodeUtf8 = function(binstr) {
+  var escstr = binstr.replace(/(.)/g, function (m, p) {
+    var code = p.charCodeAt(0).toString(16).toUpperCase();
+    if (code.length < 2) {
+      code = '0' + code;
+    }
+    return '%' + code;
+  });
+
+  return decodeURIComponent(escstr);
 };
 
 // binary encoding/decoding tools
diff --git a/phone.js b/phone.js
index f3c9d2d..643d185 100644
--- a/phone.js
+++ b/phone.js
@@ -89,7 +89,8 @@
     meta = otplink.pathname.replace(/.*\/totp\//, '').split(':');
     // TODO throw if otp.issuer !== decodeURI(meta[0])
     if (meta.length > 1) {
-      issuer = otp.issuer || decodeURI(meta[0]);
+      // TODO why is there an extra leading '/' on iOS webview?
+      issuer = otp.issuer || decodeURI(meta[0]).replace(/^\//, '');
       accountName = decodeURI(meta[1]);
     }
     else {
@@ -104,6 +105,7 @@
 
     $('.js-issuer').text(issuer);
     $('.js-account-name').text(accountName);
+
     Authenticator.generateToken(otp.secret).then(function (token) {
       $('.js-token').text(token.replace(/(\d{3})/g, '$1 ').trim());
     });
diff --git a/test.js b/test.js
index 184b925..723db7c 100644
--- a/test.js
+++ b/test.js
@@ -63,6 +63,11 @@ function generate(ke) {
 $('.js-verify').addEventListener('click', function () {
   var token = $('.js-token').value;
 
+  if (!/.*\d{3}.*\d{3}.*/.test(token)) {
+    window.alert("must have a 6 digit token");
+    return;
+  }
+
   Authenticator.verifyToken(key, token).then(function (result) {
     var msg;
     if (result) {
@@ -74,6 +79,9 @@ $('.js-verify').addEventListener('click', function () {
     console.info('verify', msg);
     window.alert(msg);
   }, function (err) {
+    window.alert('[ERROR]:' + err.message);
+    window.alert('[ERROR]:' + err.stack);
+
     console.error('ERROR');
     console.error(err);
   });